On Wed, Jun 23, 2010 at 4:13 AM, Alan DeKok <al...@deployingradius.com> wrote:
>
> > I do not think pam_radius_auth is behaving wrongly - looking at the
> > code is simple enough, I do get "All RADIUS servers failed to respond"
> > in the SYSLOG, so it should clearly be returning PAM_IGNORE as
> > documented.
>
> Double-check that it's returning PAM_IGNORE. Maybe source code mods
> to syslog "RETURNING PAM_IGNORE".
>
> If it is returning PAM_IGNORE, then it's a PAM problem. Ask the
> question again on the PAM list.
>

I've added logging at the end of talk_radius() to confirm that it was
returning PAM_IGNORE, and it was indeed the case.

I posted to the pam list, where someone suggested I use pam_debug to see
how the stack reacted to PAM_IGNORE:

------8<-------
auth        required      pam_debug.so auth=ignore
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so debug audit likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
auth        required      pam_nologin.so
------8<-------

I can indeed login with the local auth via pam_unix in this case, so I'm
back at looking at the module's code..

I know talk_radius() is returning PAM_IGNORE, here's the very last part of
the function with my mod:

------8<-------
  if (!server) {
    _pam_log(LOG_ERR, "All RADIUS servers failed to respond.");
    if (conf->localifdown) {
      _pam_log(LOG_ERR, "Retval = PAM_IGNORE");
      retval = PAM_IGNORE;
    }
    else
      retval = PAM_AUTHINFO_UNAVAIL;
  } else {
    retval = PAM_SUCCESS;
  }

  return retval;
}
------8<-------

I'll have a look at the rest of the flow, see if it could have been
overridden elsewhere after that call..

I've never coded a pam module, am I correct to guess that since I'm calling
the module with an auth call from the stack I should be looking at
pam_sm_authenticate() ?

Martin
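An added example, not part of the original message and not code from pam_radius_auth or Linux-PAM: a simplified model of how a PAM stack combines results for the "required" and "sufficient" control flags, applied to the pam_debug stack quoted above. The enum names, run_stack() and page_stack() are hypothetical, and the return values assigned to pam_env, pam_deny and pam_nologin are assumptions made for the model.

```c
#include <stdio.h>

/* Illustrative result codes and control flags (not libpam's own types). */
enum rc  { SUCCESS, IGNORE, AUTH_ERR, AUTHINFO_UNAVAIL, PERM_DENIED };
enum ctl { REQUIRED, SUFFICIENT };
struct entry { enum ctl ctl; enum rc ret; };

/* Fold the per-module results into one result for the whole stack. */
enum rc run_stack(const struct entry *s, int n)
{
    int ok_seen = 0, failed = 0;
    enum rc status = SUCCESS;

    for (int i = 0; i < n; i++) {
        enum rc r = s[i].ret;
        if (r == IGNORE)
            continue;                 /* contributes nothing either way */
        if (r == SUCCESS) {
            if (failed)
                continue;             /* cannot undo an earlier required failure */
            ok_seen = 1;
            if (s[i].ctl == SUFFICIENT)
                return SUCCESS;       /* stop here, nothing failed before */
        } else if (s[i].ctl == REQUIRED && !failed) {
            failed = 1;               /* first required failure decides the result */
            status = r;
        }                             /* a failing "sufficient" module is skipped */
    }
    if (failed)
        return status;
    return ok_seen ? SUCCESS : PERM_DENIED;  /* every module ignored: fail closed */
}

/* The stack from the message: `first` stands in for the first line's result
 * (pam_debug.so auth=..., or pam_radius_auth), `unix_rc` for pam_unix. */
enum rc page_stack(enum rc first, enum rc unix_rc)
{
    struct entry s[] = {
        { REQUIRED,   first    },     /* pam_debug.so / pam_radius_auth */
        { REQUIRED,   SUCCESS  },     /* pam_env.so (assumed) */
        { SUFFICIENT, unix_rc  },     /* pam_unix.so */
        { REQUIRED,   AUTH_ERR },     /* pam_deny.so (assumed) */
        { REQUIRED,   SUCCESS  },     /* pam_nologin.so (assumed) */
    };
    return run_stack(s, 5);
}

int main(void)
{
    printf("first=IGNORE, unix ok:           %d\n", page_stack(IGNORE, SUCCESS));
    printf("first=AUTHINFO_UNAVAIL, unix ok: %d\n", page_stack(AUTHINFO_UNAVAIL, SUCCESS));
    return 0;
}
```

In this model the same local password is accepted when the first line yields PAM_IGNORE and rejected when it yields PAM_AUTHINFO_UNAVAIL, the two branches of the talk_radius() tail shown above.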